Authentication Bypass in Chamilo LMS Open-Source Learning Management System Version 2.0-RC.2
CVE-2026-33715

7.2 HIGH

Key Information:

Vendor: Chamilo

CVE Published: 14 April 2026

What is CVE-2026-33715?

Chamilo LMS, an open-source learning management system, has an authentication bypass in version 2.0-RC.2: the file public/main/inc/ajax/install.ajax.php can be reached without authentication. Unlike the other AJAX endpoints, this file performs no authentication check. Its test_mailer action accepts a Symfony Mailer DSN string and connects to the SMTP server that string names, so an unauthenticated attacker can make the Chamilo server open connections to arbitrary hosts, a Server-Side Request Forgery against internal networks. The same action can turn the server into an open email relay, enabling phishing or spam campaigns whose messages originate from the server's legitimate IP address. Error messages returned for failed SMTP connections also leak details about the internal network's layout and the services listening on it. The vulnerability is fixed in version 2.0.0-RC.3.
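A log-scanning check a defender could run while patching, added here as an example and not part of the advisory: it flags requests to the install AJAX endpoint in combined-format web access logs. It assumes `public/` is the document root (so the endpoint appears as /main/inc/ajax/install.ajax.php), that the action is passed as an `action` query parameter, and it uses constructed log lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Apr/2026:10:01:02 +0000] "GET /main/inc/ajax/install.ajax.php?action=test_mailer HTTP/1.1" 200 85 "-" "curl/8.0"
203.0.113.5 - - [14/Apr/2026:10:01:03 +0000] "POST /main/inc/ajax/install.ajax.php?action=test_mailer HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.7 - - [14/Apr/2026:10:02:00 +0000] "GET /main/inc/ajax/course_home.ajax.php?a=get_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2026:10:02:10 +0000] "GET /main/inc/ajax/install.ajax.php?action=step2 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Combined-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed URL path of the endpoint when public/ is the document root.
INSTALL_AJAX_PATH = "/main/inc/ajax/install.ajax.php"


def scan_log(text):
    """Return (ip, timestamp, method, verdict) for every request to install.ajax.php.

    verdict is 'test_mailer' when that action is visible in the query string and
    'install_ajax' otherwise: on a finished installation any hit on this file is
    suspicious, and a POST may carry the action in a body the log does not record.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.endswith(INSTALL_AJAX_PATH):
            continue
        actions = parse_qs(parts.query).get("action", [])
        verdict = "test_mailer" if "test_mailer" in actions else "install_ajax"
        findings.append((m["ip"], m["ts"], m["method"], verdict))
    return findings


if __name__ == "__main__":
    for ip, ts, method, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {method} -> {verdict}")
```

Any 'test_mailer' finding on an instance running 2.0-RC.2 warrants checking the SMTP targets and outbound mail volume for that period; blocking the endpoint at the web server until the 2.0.0-RC.3 upgrade is in place removes the exposure.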

Affected Version(s)

chamilo-lms >= 2.0-RC.2, < 2.0-RC.3

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
